Determination of On-Intranet or Off-Intranet

A network location server is an internal network server that hosts an HTTPS-based uniform resource locator (URL). DirectAccess clients access the URL to determine whether they are located on the intranet. The DirectAccess server can be the network location server but a high-availability Web server is recommended. The Web server does not have to be dedicated as a network location server.

Because the behavior of the DirectAccess client depends on the response from the network location server, it is critical to ensure that this Web site is available from each remote branch site. Branch locations may need a separate dedicated network location Web site at each branch location to ensure that the Web site remains accessible even in the event of a link failure. We recommend that the network location server be highly available (for example, behind a cluster) and separate from the DirectAccess server.

How intranet detection works

When a DirectAccess client starts up or experiences a significant network change event (such as a change in link status or a new IP address), it assumes that it is not on the intranet and uses the configured entries in the NRPT (Name Resolution Policy Table) to determine where to send DNS name queries. The DirectAccess client then attempts to resolve the FQDN in the URL for the network location server. Because the NRPT is active, this FQDN should either match an exemption entry or no entries in the NRPT so that the DirectAccess client can use the intranet DNS servers configured in the client’s TCP/IP settings. If the FQDN matches the entry in the NRPT for your intranet namespace, the DirectAccess client will instead attempt to resolve the FQDN by sending DNS queries to the IPv6 addresses in the corresponding NRPT entry.

After resolving the FQDN, the DirectAccess client must be able to successfully connect to the HTTPS-based URL of the network location server, which includes an SSL-based authentication and verification of the server certificate offered by the network location server. For authenticating the DirectAccess client, use anonymous authentication or NTLM. Certificate verification includes validating the certificate and verifying that it has not been revoked.

The certificate offered by the network location server must have the following:

  • In the Subject field, either an intranet IPv4 address of the network location server or an FQDN that matches the FQDN in the URL.

  • A certificate revocation list (CRL) distribution point that is accessible by DirectAccess clients connected to the intranet.

Just like the URL for the network location server, the FQDN in the URL for the CRL distribution point should either match an exemption entry or no entries in the NRPT so that the DirectAccess client can use intranet DNS servers configured in the client’s TCP/IP settings to resolve the name. If the DirectAccess client cannot resolve the FQDN in the URL for the CRL distribution point, intranet location detection fails and the DirectAccess client cannot use DNS to access intranet resources.

When the DirectAccess client successfully accesses the HTTPS-based URL of the network location server and verifies its certificate, it determines that it is on the intranet, the NRPT entries are removed from the active table, and the DirectAccess client uses the DNS servers configured in the client’s TCP/IP settings to resolve all names.
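The detection sequence described above, as an added Python model that is not Microsoft's implementation: NRPT longest-match lookup, the exemption rule that sends the network location server and CRL names to the adapter's DNS servers, and the ordered pass/fail decision. All names, addresses and the certificate are constructed sample values; the `resolve` and `https_cert` lookups stand in for the client's real DNS and Schannel calls.

```python
from collections import namedtuple
from urllib.parse import urlparse
# NRPT entry: suffix rule (".corp.example.com") or exact name; empty dns_servers marks an exemption entry.
NrptEntry = namedtuple("NrptEntry", "namespace dns_servers", defaults=[()])
# Server certificate as seen by the client: Subject (FQDN or intranet IPv4), CRL distribution point URL, revocation.
Cert = namedtuple("Cert", "subject crl_url revoked", defaults=[False])

def nrpt_match(fqdn, nrpt):
    """Most specific matching NRPT entry for fqdn, or None when no entry matches."""
    name = fqdn.lower().rstrip(".")
    hits = [e for e in nrpt if name == e.namespace.lower()
            or (e.namespace.startswith(".") and name.endswith(e.namespace.lower()))]
    return max(hits, key=lambda e: len(e.namespace), default=None)

def dns_servers_for(fqdn, nrpt, tcpip_dns):
    """Exemption entry or no entry: DNS servers from TCP/IP settings; otherwise the entry's IPv6 servers."""
    e = nrpt_match(fqdn, nrpt)
    return tcpip_dns if e is None or not e.dns_servers else e.dns_servers

def detect_location(nls_url, nrpt, tcpip_dns, resolve, https_cert):
    """Detection steps in order -> (on_intranet, reason); resolve/https_cert are injected network lookups."""
    fqdn = urlparse(nls_url).hostname
    addr = resolve(fqdn, dns_servers_for(fqdn, nrpt, tcpip_dns))
    if addr is None:
        return False, "network location server name did not resolve"
    cert = https_cert(addr, fqdn)
    if cert is None:
        return False, "HTTPS connection to network location server failed"
    if cert.subject not in (fqdn, addr):
        return False, "certificate Subject matches neither the URL FQDN nor the intranet IPv4 address"
    crl_fqdn = urlparse(cert.crl_url).hostname
    if resolve(crl_fqdn, dns_servers_for(crl_fqdn, nrpt, tcpip_dns)) is None:
        return False, "CRL distribution point name did not resolve; revocation cannot be checked"
    if cert.revoked:
        return False, "network location server certificate is revoked"
    return True, "on intranet: NRPT entries removed, TCP/IP DNS servers used for all names"

# Constructed sample environment (not a real deployment): one intranet suffix rule plus two exemptions.
NRPT = [NrptEntry(".corp.example.com", ["2001:db8::53"]),
        NrptEntry("nls.corp.example.com"), NrptEntry("crl.corp.example.com")]
INTRANET_DNS = ["10.0.0.53"]                                          # only answers on the intranet
ZONE = {"nls.corp.example.com": "10.0.0.20", "crl.corp.example.com": "10.0.0.21"}
NLS_CERT = Cert("nls.corp.example.com", "http://crl.corp.example.com/corp.crl")

def run_scenario(link_is_intranet):
    """Adapter DNS is the intranet server when on the intranet, an ISP resolver (203.0.113.53) otherwise."""
    resolve = lambda fqdn, servers: ZONE.get(fqdn) if servers == INTRANET_DNS else None
    https_cert = lambda addr, fqdn: NLS_CERT if addr == ZONE.get(fqdn) else None
    return detect_location("https://nls.corp.example.com/insideoutside", NRPT,
                           INTRANET_DNS if link_is_intranet else ["203.0.113.53"], resolve, https_cert)
```

Dropping the `nls.corp.example.com` exemption from `NRPT` makes `dns_servers_for` send the lookup to the IPv6 intranet DNS address instead of the adapter's servers, which is the misconfiguration the text warns about.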